Deny all traffic, allow only DNS,HTTP,HTTPS firewall rule

Started by newman87, January 29, 2022, 11:47:56 AM

Hi,
I am interested in denying all traffic except DNS, HTTP and HTTPS.
So I created 4 firewall rules on the WAN interface (3 Allow rules, 1 Block rule):

1) Allow DNS (Source WAN net, Port 53, Traffic In - Destination Any, Port Any)
2) Allow HTTPS (Source WAN net, Port 443, Traffic In - Destination Any, Port Any)
3) Allow HTTP (Source WAN net, Port 80, Traffic In - Destination Any, Port Any)
4) Deny All (Source WAN net, Port any, Traffic Out - Destination Any, Port Any)

I have an image with the rules attached.

I tried everything but nothing works. Could the issue be the Traffic In/Out? Also, in order to block both incoming and outgoing traffic (except DNS, HTTP, HTTPS), should I also use another Block rule? (I read that this is not needed, since Opnsense is a stateful firewall.)
Also, is WAN the right interface to add the rules to, or should I add them to the WIFI interface?

Can anyone help me?
Thanks in advance

January 29, 2022, 01:52:37 PM #1 Last Edit: January 29, 2022, 01:55:21 PM by chropnsense
Hi,

Try using Any instead of WAN.

edit: if you want to make it secure, allowing any DNS from LAN is perhaps not the best option. Define certain DNS servers that you trust (your ISP, for example).

Hi,
thanks for the reply.
I tried "any" on all rules, but still all traffic is blocked; it seems the 3 Allow rules don't allow traffic to come to the interface.
Anything else I could try?
Thanks

January 29, 2022, 04:00:53 PM #3 Last Edit: January 29, 2022, 04:04:01 PM by marcquark
You've mixed up Source and Destination ports. You'll probably want source port "any" and destination ports 53/80/443.

That would cover the case of traffic coming from the outside to these ports being allowed. Are you really sure that's what you want? It would expose your OPNsense web interface to the internet, not exactly best practice.

In OPNsense you always put rules on the interface where traffic comes in. So if you want to allow traffic from your LAN to the outside, put the rules on the LAN interface instead.

Thanks for the reply, I got it working now by setting the ports on the destination.
I also added these rules on LAN.
One more question: should I create, e.g. for the HTTPS traffic, 2 rules, one with Direction "In" and one with Direction "Out", so that I do both ingress (incoming) and egress (outgoing) filtering?
I read that since Opnsense is a stateful firewall, you can write only one rule and it applies to both directions. Is this correct?

Also, when I disable the Allow DNS rule, I can visit any site, so the DNS Allow rule seems to be of no use. What could be the issue?
Thanks


Quote from: newman87 on January 29, 2022, 04:41:11 PM
Thanks for the reply, I got it working now by setting the ports on the destination.
I also added these rules on LAN.

Do you actually want to allow traffic from the internet towards your firewall on these ports, or is your goal just to let LAN devices out?
If it's the latter, then you should remove the rules from your WAN interface; they're not doing what you think they're doing.

Quote from: newman87 on January 29, 2022, 04:41:11 PM
One more question: should I create, e.g. for the HTTPS traffic, 2 rules, one with Direction "In" and one with Direction "Out", so that I do both ingress (incoming) and egress (outgoing) filtering?
I read that since Opnsense is a stateful firewall, you can write only one rule and it applies to both directions. Is this correct?

This is correct. All you need is a rule from LAN to (in this case) any and destination ports 80 and 443 to allow LAN devices to browse the internet.
In a default setup similar to consumer-grade routers, you will have no rules at all on the WAN interface.

Quote from: newman87 on January 29, 2022, 04:41:11 PM
Also, when I disable the Allow DNS rule, I can visit any site, so the DNS Allow rule seems to be of no use. What could be the issue?
Thanks

Please post a screenshot of all rules on all interfaces, plus some additional info on your DHCP and DNS (Unbound) settings. There could be many reasons.
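An added illustration, not code from this thread or from OPNsense, of the two points above: why rules with the service port on the source side never match a browser's outbound connection, and why one stateful rule covers both directions. It is a tiny first-match, stateful rule evaluator in Python; the interface names, addresses and ports are constructed, and NAT is left out.

```python
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

# A packet as seen by the filter: iface is the interface it ARRIVES on
Packet = namedtuple("Packet", "iface proto src sport dst dport")

@dataclass(frozen=True)
class Rule:
    iface: str
    action: str                  # "pass" or "block"
    proto: str = "any"
    sport: Optional[int] = None  # None = any port
    dport: Optional[int] = None  # None = any port

    def matches(self, p: Packet) -> bool:
        return (self.iface == p.iface and self.proto in ("any", p.proto)
                and self.sport in (None, p.sport) and self.dport in (None, p.dport))

class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()  # allowed flows, like pf's state table (NAT ignored)

    def filter(self, p: Packet) -> str:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.states or rev in self.states:
            return "pass"  # reply traffic is matched by state before any rule is read
        for r in self.rules:  # first matching rule wins
            if r.matches(p):
                if r.action == "pass":
                    self.states.add(fwd)  # "keep state": remember the allowed flow
                return r.action
        return "block"  # implicit default deny

# Rules as first posted: on WAN, with the service ports on the SOURCE side
ORIGINAL = [Rule("WAN", "pass", "udp", sport=53), Rule("WAN", "pass", "tcp", sport=443),
            Rule("WAN", "pass", "tcp", sport=80), Rule("WAN", "block")]
# Corrected as marcquark describes: on the inside interface, ports on the DESTINATION side
CORRECTED = [Rule("WIFI", "pass", "udp", dport=53), Rule("WIFI", "pass", "tcp", dport=443),
             Rule("WIFI", "pass", "tcp", dport=80), Rule("WIFI", "block")]

# Constructed sample flow: a browser picks an ephemeral source port, destination port 443
REQUEST = Packet("WIFI", "tcp", "192.168.2.10", 51234, "203.0.113.5", 443)
REPLY = Packet("WAN", "tcp", "203.0.113.5", 443, "192.168.2.10", 51234)

def outcome(rules):
    # Returns (request verdict, reply verdict) for one ruleset
    fw = Firewall(rules)
    return fw.filter(REQUEST), fw.filter(REPLY)
```

With the original rules the outbound request is dropped, while any inbound packet on WAN that merely carries source port 443 is let in; with the corrected rules the request passes and the reply is accepted from the state table, with no WAN rule at all.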

Quote: Do you actually want to allow traffic from the internet towards your firewall on these ports, or is your goal just to let LAN devices out? If it's the latter, then you should remove the rules from your WAN interface, they're not doing what you think they're doing.
Actually my goal is to let devices from the WIFI interface out, i.e. surfing the internet. So I added the rules on the WIFI interface. I also removed all rules from the WAN, as you suggested. Also, I don't use the LAN interface, so I am not adding any rules there, just the defaults. You can see the rules of my interfaces in the images attached.

Quote: Please post a screenshot of all rules on all interfaces, plus some additional info on your DHCP and DNS (Unbound) settings. There could be many reasons.
I have removed the Allow DNS rule for security reasons (as I read). So I followed this guide to redirect DNS queries to my OPNSense DNS router:
https://forum.opnsense.org/index.php?topic=9245.0
Should I also apply a Block rule for external DNS servers, according to this tutorial?
https://www.sunnyvalley.io/docs/network-security-tutorials/how-to-configure-opnsense-firewall-rules#opnsense-firewall-rules-examples
Hm, when I disable the "Redirect DNS to local" rule on the WIFI interface, I can still surf the web. What can be wrong?


Thanks again for your help


Looks good. Since you're already redirecting all DNS requests to your box, another block rule wouldn't have any effect.
Also why are there two allow-all rules below your last "Deny all traffic" rule? They will probably never match...

Reasons why you might still be able to surf the web even if you disable the rule:

  • Cache
  • Device falling back to Cellular internet
  • DoH

What is your goal with redirecting/blocking DNS? You mention it's "for security reasons", but without concrete ideas/plans on what exactly you're going to do with the DNS traffic that you're trying to control, you will most likely end up getting no additional security, and you may even lose some. There are so many things that can go wrong, like accidentally exposing your firewall's web interface to the public internet because you don't fully understand what you're doing.
So, ask yourself this first: What security measures do I want to implement in my own DNS resolver that justify the effort of taking control over DNS traffic by means of redirection/blocking in the first place? If you have no answer to that question, it's not worth it.

By all means, I don't want to discourage you here. If you're trying to learn and improve your skills, that's awesome! But maybe try to enhance your understanding of the different protocol layers and what happens where first. The OSI and TCP/IP reference models are a good starting point. There are also tons of free training materials on YouTube and in other places. Once you're getting more comfortable with your general knowledge of network technology, you'll find it much easier to understand what your firewall and NAT rules actually do, and how the different pieces play together to actually have an impact on your overall security.

On the other hand, if all you want to do is let devices on your wifi surf, just put in an allow-all rule and call it a day ;-)

Hi again,

Quote: What is your goal with redirecting/blocking DNS?
Actually I wanted to prevent DNS tunneling; that's why I redirected all DNS requests to Opnsense.

Quote: Also why are there two allow-all rules below your last "Deny all traffic" rule? They will probably never match...
These two rules were the default rules when I received the router with Opnsense preinstalled. I will remove them; as you said, they will never match.

I am new to network security and Opnsense, that's why I don't understand them so well. But I will read tutorials and watch videos, as you suggested, to learn network security, primarily to protect my network.

Thanks again for your advice and your time.
All the best